AusCERT 2014 Tutorials from Sense of Security

Nathaniel Carew, Nadeem Ahmed Salim and I have prepared a penetration testing tutorial for mobile applications; the registration link is accessible from here. We're planning to explain the test procedures of the mobile pen-test, the testing tools and the cutting-edge techniques. We will cover the iOS and Android platforms in the tutorial, and the demonstrations have been prepared for these platforms as well. They will be based on sample vulnerable applications and real applications from the application stores. The following are the headlines of the mobile pen-test tutorial.

Penetration Testing for Mobile Applications and Web Services

Mobile Applications 101

Preparing a mobile pen-test lab

Auditing platform integration

Compile options, Encryption, Storage, Caching, Logs

Reverse engineering

Unpacking, Deobfuscating, Permission Management

Source code analysis, Protection bypass, Sandbox Issues

Runtime manipulation, Debugging

Transport and communication features

Certificate pinning, MITM, Fake services

Moreover, Shawn Thompson and I have prepared another tutorial as well, Next Generation Attacks and Countermeasures for VoIP. The registration link is accessible from here, and the major tool of the tutorial, Viproy, is accessible from here. We're planning to demonstrate next generation VoIP attacks, starting from the LAN attacks through to the SIP, Skinny, Trust and Proxy attacks. The beta versions of the new Viproy modules will be in these demonstrations as well, such as Skinny signalling protocol attacks, CDP support, Cisco vendor support for SIP, and TCP and SSL support for SIP. We will prepare a test lab for the tutorial which includes different SIP servers, a VLAN-supported switch, and Cisco SIP and Skinny services. The following are the headlines of the VoIP tutorial.

Next Generation Attacks and Countermeasures for VoIP

Network Infrastructure Analysis

WAN/LAN/VLAN analysis, Service discovery

IP Telephony Server Security

Weak configuration, Management issues

SIP, Skinny and RTP Analysis

Discovery, Authentication, Call tests, VAS

Enumeration, Eavesdropping, Call Spoofing

VoIP Clients’ Security

Advanced Attacks

Trust hacking, Proxy hacking, DoS, Fuzzing

If you have further questions about these tutorials, feel free to contact me at fatih.ozavci at viproy.com.